A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:
```
server.on('secureConnection', socket => {
socket.on('error', err => {
console.log(err)
})
})
```
```
server.on('secureConnection', socket => {
socket.on('error', err => {
console.log(err)
})
})
```
Metrics
Affected Vendors & Products
No data.
No data.
No data.
No data.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Tue, 20 Jan 2026 20:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) ``` | |
| References |
| |
| Metrics |
cvssV3_0
|
Projects
Sign in to view the affected projects.
MITRE
Status: PUBLISHED
Assigner: hackerone
Published:
Updated: 2026-01-20T20:41:55.317Z
Reserved: 2025-09-16T15:00:07.875Z
Link: CVE-2025-59465
Vulnrichment
No data.
NVD
Status : Received
Published: 2026-01-20T21:16:04.010
Modified: 2026-01-20T21:16:04.010
Link: CVE-2025-59465
Redhat
No data.
OpenCVE Enrichment
No data.
Weaknesses
No weakness.